How to provision account definitions dynamically depending on assigned permissions of a target system?

Hi

We have some target systems, mainly LDAP based and SAP, where an account shall only be provisioned if an entitlement is assigned to the identity.

This is how it is supposed to work:
User orders a business role or gets a business role dynamically assigned.
Business roles contain one or more system roles.
System roles contain one or more entitlements of a target system (System X).

The idea would be:
Create a separate role class "Account Assignments".
Create a business role "Account Definitions System X".
Assign the account definition for System X to the business role.
Create a dynamic role for the business role.
In the dynamic role:

-> Evaluate all Identities with any entitlements for System X.

So all identities with any entitlement would get an account.

Does someone have an idea how to
-> Evaluate all Identities with any entitlements for System X.

Is this a good approach, or are there better methods?

Any help or comments are greatly appreciated.

Very kind regards,

Edi.


  • 1IM Version is 7.1.1, I forgot to mention.
  • Hello Edi,

    I suggest the following approach:

    - Create a new business role (Org) that is assigned to your account definition
    - Create a new dynamic rule (DynamicGroup) that is assigned to your newly created business role
    - Define in the dynamic rule, based on the Person table, all persons that have a role including an entitlement of your target system
    - Example for LDAP:
    select * from Person where
    exists (select 1 from PersonHasESet phe join ESet e on phe.UID_ESet = e.UID_ESet
    join ESetHasEntitlement ehe on e.UID_ESet = ehe.UID_ESet
    join LDAPGroup l on ehe.Entitlement = l.XObjectKey
    where phe.UID_Person = Person.UID_Person) -- correlate the subquery to the outer person, otherwise every person matches as soon as one such assignment exists

    This SQL determines all persons that have a role (PersonHasESet) that is associated to an LDAP entitlement (ESetHasEntitlement).

    HTH Fatih
  • Hello Fatih
    Thanks a lot for your suggestion.
    However, it seems to me your solution only considers LDAP groups that are assigned to an ESet where the person is assigned that ESet.

    But if an LDAP group is assigned to a department, cost center or business role, or an LDAP group is assigned directly to a person, it would not detect this.

    I'm pretty new to 1IM, so I wonder if the table/view PersonHasObject could be used to identify any assigned LDAP group?

    Best regards, and thanks again.
    Edi
  • Hi,

    I also would prefer to use the PersonHasObject table; then it will work for all types of group and assignment.

    select * from
    personhasobject pho
    join unsgroup ug on pho.ObjectKey=ug.XObjectKey
    where ug.xproxycontext='LDAP' --to restrict for LDAP Group or 'ADS' for Active Directory Group or 'SAP'
    regards,
    tarigh

  • Hi Tarigh
    Thanks a lot for your comment on this,
    I'll give that a try.
    The only open point would be if it's possible to restrict the query to LDAP groups of a specific LDAP domain.
    As we use multiple LDAP domains as different target systems, we would have to distinguish per LDAP domain, calculate the memberships and assign the account definition based on that specific domain, I assume?

    Thanks again for your valuable input.

    My very best regards,
    Edi
  • Hi Edi,

    select * from
    personhasobject pho
    join unsgroup ug on pho.ObjectKey=ug.XObjectKey
    join unscontainer uc on uc.UID_UNSContainer=ug.UID_UNSContainer
    where ug.xproxycontext='LDAP'
    and uc.ident_domain='Your_LDAP_Ident_Domain_Name'

    regards,
    Tarigh
  • Hi Tarigh

    It seems I get errors with ug.xproxycontext when I execute:
    (This column does not exist on the UNSGroup table)

    select * from
    personhasobject pho
    join unsgroup ug on pho.ObjectKey=ug.XObjectKey
    join unscontainer uc on uc.UID_UNSContainer=ug.UID_UNSContainer
    where ug.xproxycontext='LDAP'
    and uc.ident_domain='ldap08.company.ch'

    Database error 207: Invalid column name 'xproxycontext'.
    Invalid column name 'ident_domain'.
    Invalid column name 'xproxycontext'.
    Invalid column name 'ident_domain'.

    What I do see on UNSGroup is a column
    XObjectKey = <Key><T>LDAPGroup</T><P>a2e35894-cf5b-4545-beb8-7c6a5d9a35e0</P></Key>
    and
    UID_UNSRoot = ldap08 (ldap08)

    Do you have any idea?


    Best regards, and thanks again,
    Edi
  • Hi Edi,

    I hoped this query (from Q1IM 6.1.4) would work for 1IM 7.1.1 too, but...
    Sorry, but I have no 7.1.1 installation at the moment; that's why I cannot help you. Good luck.

    best regards,
    tarigh

  • Hi Tarigh
    Oh, OK, so there are differences in 7.1.1.
    Thanks anyway, I think you pointed me in the right direction.
    Best regards,
    Edi
  • Hi,

    Finally I found an installation of 7.0 somewhere :-)

    Maybe this will help you:

    select * from personhasobject pho
    join unsgroup ug on ug.xobjectkey=pho.objectkey
    join unsroot ur on ur.uid_unsroot=ug.uid_unsroot
    join DPRNameSpace dns on dns.uid_DPRNameSpace=ur.uid_DPRNameSpace
    where dns.Ident_DPRNameSpace='LDAP'
    and ur.Ident_UNSRoot='ldap08'

    best regards,
    Tarigh
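An added example, not posted by anyone in this thread, that turns Tarigh's last join into the form a dynamic role actually needs: the condition is evaluated as a WHERE clause against the Person table, so the PersonHasObject lookup has to be correlated on the person, and a check query shows who would receive the account definition before the role is switched on. It assumes PersonHasObject exposes UID_Person and that Person.CentralAccount and UNSGroup.UID_UNSGroup exist as in 1IM 7.x; the namespace 'LDAP' and domain 'ldap08' are the values from the thread.

```sql
-- Part 1: the dynamic role condition.
-- Only the text after WHERE is pasted into the dynamic role; the SELECT wrapper
-- is here so the condition can be run and checked in a query tool first.
select Person.UID_Person
from Person
where exists (
    select 1
    from PersonHasObject pho                       -- direct and inherited assignments alike
    join UNSGroup     ug  on ug.XObjectKey        = pho.ObjectKey
    join UNSRoot      ur  on ur.UID_UNSRoot       = ug.UID_UNSRoot
    join DPRNameSpace dns on dns.UID_DPRNameSpace = ur.UID_DPRNameSpace
    where pho.UID_Person = Person.UID_Person       -- correlation: one decision per person
      and dns.Ident_DPRNameSpace = 'LDAP'          -- LDAP groups only, not ADS/SAP
      and ur.Ident_UNSRoot       = 'ldap08'        -- groups of this one LDAP domain (target system)
);

-- Part 2: review query before enabling the dynamic role.
-- Lists every person the condition would pick up and how many groups of the
-- domain drive that decision, so unexpected members can be spotted.
select p.UID_Person,
       p.CentralAccount,                           -- assumption: standard Person column
       count(distinct ug.UID_UNSGroup) as LdapGroupsInDomain
from Person p
join PersonHasObject pho on pho.UID_Person = p.UID_Person
join UNSGroup     ug  on ug.XObjectKey        = pho.ObjectKey
join UNSRoot      ur  on ur.UID_UNSRoot       = ug.UID_UNSRoot
join DPRNameSpace dns on dns.UID_DPRNameSpace = ur.UID_DPRNameSpace
where dns.Ident_DPRNameSpace = 'LDAP'
  and ur.Ident_UNSRoot       = 'ldap08'
group by p.UID_Person, p.CentralAccount
order by LdapGroupsInDomain desc;
```

One dynamic role per LDAP domain, each with its own Ident_UNSRoot value, keeps the account definitions of the different target systems independent of each other.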